Trustwave SpiderLabs Security Advisory TWSL2021-003:
Incorrect SSLv2 rollback protection Vulnerability in OpenSSL

Published: 02/18/2021
Version: 1.0

Vendor: OpenSSL (http://www.openssl.org)
Product: OpenSSL
Version affected: 1.0.2s through 1.0.2u (inclusive)

Product description:
Implementation of SSL/TLS protocol.

Finding 1: Incorrect SSLv2 rollback protection
Credit: D. Katz of Trustwave
Credit: Joel Luellwitz of Trustwave
CVE: CVE-2021-23839
CWE: CWE-670

A potential version rollback man-in-the-middle attack was discovered in OpenSSL 1.0.2u. The error appears to have been introduced in OpenSSL version 1.0.2s via GitHub commit 6555a89 [1]. Presumably, the committer was correcting the code to implement appendix E.3 of RFC 5246 [2] but did not notice the associated errata document 2643 [3]. The error completely negates the version rollback protection described in appendix E.3 and causes an OpenSSL server to reject legitimate SSLv2 connection attempts.

In the OpenSSL_1_0_2-stable branch, the error is in the RSA_padding_check_SSLv23 function of crypto/rsa/rsa_ssl.c. Line 174 reads:

    good &= constant_time_ge(threes_in_row, 8);

but should read:

    good &= constant_time_lt(threes_in_row, 8);

Additionally, lines 106 through 108 read:

 * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
 * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also
 * preserves error code reporting for backward compatibility.

but should read:

 * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
 * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also
 * preserves error code reporting for backward compatibility.

The affected code intends to prevent a TLS-capable connection request from establishing an SSLv2 connection. The server does this by checking for eight consecutive 0x03 bytes at the end of the PKCS#1 padding in the CLIENT-MASTER-KEY message, which should be present in all connection requests from TLS-capable clients.
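The following C model of that check is an added example written for this advisory, not OpenSSL's own code: it is deliberately readable rather than constant-time, and the names scan_block, sslv23_check and check_scenario are hypothetical. It applies the correct comparison and the inverted one from line 174 to a constructed CLIENT-MASTER-KEY padding block, with and without the eight trailing 0x03 bytes, so the two verdicts can be compared directly.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not OpenSSL's code: a readable (deliberately NOT constant-time)
 * model of the SSLv23 padding twist. Scans a PKCS#1 v1.5 type-2 block
 * 00 02 PS(>=8 non-zero bytes) 00 M and counts the 0x03 bytes immediately
 * preceding the 0x00 delimiter. Returns 0 on a malformed block, else 1. */
static int scan_block(const unsigned char *em, size_t num, size_t *threes)
{
    size_t i, n = 0;
    if (num < 11 || em[0] != 0x00 || em[1] != 0x02)
        return 0;
    for (i = 2; i < num && em[i] != 0x00; i++)
        ;
    if (i == num || i < 2 + 8)              /* no delimiter, or PS shorter than 8 */
        return 0;
    for (; i > 2 && em[i - 1] == 0x03; i--) /* walk back over the 0x03 run */
        n++;
    *threes = n;
    return 1;
}

/* 1 = accept. inverted == 0 is the RFC 5246 E.3 / errata 2643 rule: eight 0x03
 * bytes mean a TLS-capable client was downgraded, so the SSLv2 server rejects.
 * inverted == 1 is the rule shipped in OpenSSL 1.0.2s-1.0.2u (CVE-2021-23839). */
int sslv23_check(const unsigned char *em, size_t num, int inverted)
{
    size_t threes;
    if (!scan_block(em, num, &threes))
        return 0;
    return inverted ? threes >= 8   /* good &= constant_time_ge(threes_in_row, 8) */
                    : threes < 8;   /* good &= constant_time_lt(threes_in_row, 8) */
}

/* Constructed 32-byte block 00 02 | PS | 00 | "key"; with tls_marker the last
 * eight PS bytes are 0x03, as a TLS-capable client sends them. Returns the
 * verdict of the correct (inverted == 0) or buggy (inverted == 1) check. */
int check_scenario(int tls_marker, int inverted)
{
    unsigned char em[32];
    size_t i, ps_len = sizeof(em) - 6;  /* 26 PS bytes: 32 - 00 02 - 00 - "key" */
    em[0] = 0x00; em[1] = 0x02;
    for (i = 0; i < ps_len; i++)
        em[2 + i] = (unsigned char)(0x41 + i % 23);   /* never 0x00 or 0x03 */
    if (tls_marker)
        memset(em + 2 + ps_len - 8, 0x03, 8);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, "key", 3);
    return sslv23_check(em, sizeof(em), inverted);
}
```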
If this byte pattern is detected, the SSLv2 connection should fail to be established. Conversely, if this byte pattern does not exist, the SSLv2 connection should be allowed to proceed. Due to the above-mentioned error, the reverse behavior is observed: connections from non-TLS-capable clients fail, and connections from TLS-capable clients will presumably succeed (although we did not attempt this last scenario due to the difficulty of implementation).

For a server to be vulnerable to this rollback attack, OpenSSL must have been compiled with SSLv2 support. Additionally, code utilizing the OpenSSL library must clear the SSL_OP_NO_SSLv2 context option and enable support for deprecated SSLv2 ciphers at runtime.

Note: While later releases of OpenSSL do not support SSLv2, and hence are not susceptible to SSLv2 rollback attacks, we want to point out that OpenSSL versions 1.1.0, 1.1.1, and 3.0 (alpha) also contain this erroneous padding code with the inverted logic.

Remediation Steps:
Because OpenSSL 1.0.2 is no longer receiving public support, it is recommended to upgrade to the latest stable version of OpenSSL 1.1.1. OpenSSL extended support customers (premium) can upgrade to 1.0.2y.

Revision History:
01/21/2021 - Vulnerability disclosed to vendor
02/16/2021 - Patch released by vendor
02/18/2021 - Advisory published

References:
1. https://github.com/openssl/openssl/commit/6555a8941bd6be5790d3b45c41de23234a8e527f#diff-878dd89498f257616a0a86e2cb49ca72ca359f3d1834673d2b73114306dfd460R174
2. https://tools.ietf.org/html/rfc5246#appendix-E.3
3. https://www.rfc-editor.org/errata/eid2643

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs.
More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.